How should senders handle gray-area data sources responsibly?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've got a pile of business cards from a conference three years ago. Or a spreadsheet from a partner who "highly likely they opted in." Or a list scraped from public LinkedIn profiles. These are gray-area data sources, and they're riskier than they look.

The honest test: would this person recognize your name in their inbox and feel like they asked to hear from you? If the answer is "probably not," you're carrying real risk even if you can technically argue consent existed at some point.

The responsible path before mailing is a re-permission campaign. Send a single email from your domain explaining who you are and asking them to confirm they want to hear from you. Yes, you'll lose most of the list. That's fine. The people who confirm are actually worth mailing. The rest were never going to convert and would only hurt your sender reputation.

Document your reasoning. If a regulator asks why you emailed someone who later filed a complaint, "we ran a re-permission campaign in [month] and they confirmed" is defensible. "We inherited this list from a 2018 trade show" is not.

One more thing: validate the list before you even start re-permissioning. Sending to dead addresses and spam traps to ask "do you want to hear from us?" will damage your reputation before you get a single response. Review My Emails' list cleaning can catch those before they cause problems.

If you want to understand what valid consent actually looks like, that's worth reading before you decide how to handle a gray-area source.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me decide what to do with this list

I have some email addresses from a source with uncertain consent history. Here's my situation: - Source type: business cards / partner list / public directory / other - How old the data is: months/years - Number of addresses: count - Geographic regions: EU / US / other - My current ESP: name Help me decide whether to run a re-permission campaign, suppress the list entirely, or clean and proceed with caution. Include any risks I should document.

Edit the yellow boxes, then send to the AI of your choice.